Using Pre-Authenticated Requests

Pre-authenticated requests provide a way to let users access a bucket or an object without having their own credentials, as long as the request creator has permissions to access those objects. For example, you can create a request that lets an operations support user upload backups to a bucket without owning API keys. Or, you can create a request that lets a business partner update shared data in a bucket without owning API keys.

When you create a pre-authenticated request, a unique URL is generated. Users in your organization, partners, or third parties can use this URL to access the Object Storage resource target identified in the pre-authenticated request.

Important

Carefully assess the business requirement for and the security ramifications of pre-authenticated access to a bucket or objects.

A pre-authenticated request URL gives anyone who has the URL access to the targets identified in the request for as long as the request is active. In addition to considering the operational needs of pre-authenticated access, it is equally important to manage its distribution.

Required Permissions

You need PAR_MANAGE permission access to the target bucket or object to create or manage pre-authenticated requests.

You also need permission to perform the action the pre-authenticated request is permitting. For example, if you are creating a pre-authenticated request for uploading an object, you must have both the PAR_MANAGE and the OBJECT_CREATE permissions in the target compartment.

Important

If the user who creates a pre-authenticated request is deleted or loses the OBJECT_CREATE permission after they created the request, then the request no longer works.

Options

When creating a pre-authenticated request, you have the following options:

You can configure the name of a specific bucket that a user has write access to and can upload one or more objects to.

You can configure the name of a specific object that a user can read from, write to, or read from and write to.

You can configure the expiration date for the request.

Scope and Constraints

Understand the following scope and constraints regarding pre-authenticated requests:

Users can't list bucket contents.

There is no hard limit on the number of pre-authenticated requests that you can create.

You can't edit a pre-authenticated request. If you want to change user access options in response to changing requirements, you need to create a new pre-authenticated request.

The target and actions for a pre-authenticated request are based on its creator's permissions. The request is not, however, bound to the creator's account login credentials. A pre-authenticated request is not affected if the creator's login credentials change.

If the user who created a pre-authenticated request is deleted, then the request no longer works.

You cannot delete a bucket that has a pre-authenticated request associated with that bucket or with an object in that bucket.

Working with Pre-Authenticated Requests

You can create, delete, or list pre-authenticated requests using the Console, using the CLI, or by using an SDK to access the API.

Important

The unique URL provided by the system when you create a pre-authenticated request is the only way a user can access the bucket or object specified as the request target. Copy the URL to durable storage. The URL is displayed only at the time of creation and cannot be retrieved later.

Using the Console

See Service Limits for a list of applicable limits and instructions for requesting a limit increase.

To create a pre-authenticated request for a bucket

Open the navigation menu. Under Core Infrastructure, click Object Storage.

Choose the compartment where the bucket is.

Click the bucket name.

Click Pre-Authenticated Requests under Resources to display the list of pre-authenticated requests.

Click Create Pre-Authenticated Request.

Provide the following information:

Name: The system generates a default pre-authenticated request name that reflects the current year, month, day, and time, for example par-bucket-20190307-0915. If you change this default or any other pre-authenticated request name (for example, to bucketPAR), use only letters, numbers, dashes, underscores, and periods. Avoid entering confidential information.

Pre-Authenticated Request Target: Pick Bucket.

Expiration: Accept the system-generated expiration date, or use the date and time editor to pick a different expiration date and time.

Click Create Pre-Authenticated Request.

After a request is created, the Pre-Authenticated Request Details dialog displays the URL used to access the bucket, for example https://objectstorage.server.company.com/p/_QLD5xGz6vi7s6CkWnsqdgPJLpLE3a3sCBiDyoGCn3Q/n/tenancy/b/user_bucket_01-11-2019/o/.

Click Copy to copy the URL for future reference.

Note

The unique URL provided by the system when you create a pre-authenticated request is the only way a user can access the bucket or object specified as the request target. Copy the URL to durable storage. The URL is displayed only at the time of creation and cannot be retrieved later.

To create a pre-authenticated request for an object

Open the navigation menu. Under Core Infrastructure, click Object Storage.

Choose the compartment where the bucket is.

Click the bucket name.

Click Objects under Resources to display the list of objects.

For the object you want to create a pre-authenticated request for, click the Actions icon (three dots), and then click Create Pre-Authenticated Request.

Provide the following information:

Name: The system generates a default pre-authenticated request name that reflects the current year, month, day, and time, for example par-object-root-datatable.data-20190307-0948. If you change this default or any other pre-authenticated request name (for example, to bucketPAR), use only letters, numbers, dashes, underscores, and periods. Avoid entering confidential information.

Pre-Authenticated Request Target: Pick Object.

Object Name: The name of the object to be authenticated by this rule.

Access Type: Pick one of the following.

Permit read on the object

Permit writes to the object

Permit reads on and writes to the object

Expiration: Accept the system-generated expiration date, or use the date and time editor to pick a different expiration date and time.

Click Create Pre-Authenticated Request.

After a request is created, the Pre-Authenticated Request Details dialog displays the URL used to access the object.

Click Copy to copy the URL for future reference.

Note

The unique URL provided by the system when you create a pre-authenticated request is the only way a user can access the bucket or object specified as the request target. Copy the URL to durable storage. The URL is displayed only at the time of creation and cannot be retrieved later.

Using the CLI

You must use the AnyObjectWrite enum value with the --access-type flag. Pre-authenticated requests for buckets permit writes to the bucket by default.

The <timestamp> value must be an RFC 3339 time stamp. For example: 2017-09-01T00:09:51.000+02:00.
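As an added example (not Oracle's code and not part of this page), the following Python audits the JSON printed by `oci os preauth-request list --bucket-name <bucket>` against the constraints above: a request can't be edited, so expired ones should be deleted; a lifetime beyond your own policy means recreating the request with a nearer RFC 3339 expiry; and a bucket-scoped AnyObjectWrite request lets anyone holding the URL upload. The output key names (`access-type`, `object-name`, `time-created`, `time-expires`) are assumed from the CLI's JSON shape, the policy values are assumptions, and the listed requests are constructed sample data.

```python
import json
from datetime import datetime, timedelta, timezone

# Policy knobs: assumed values for this example, not anything the service enforces.
MAX_LIFETIME = timedelta(days=7)        # longest a PAR may stay valid after creation
BUCKET_WRITE_TYPES = {"AnyObjectWrite"}  # bucket-scoped write, as created with --access-type AnyObjectWrite

# Constructed sample in the shape of `oci os preauth-request list` output (not real PARs).
SAMPLE_LIST = json.dumps({"data": [
    {"id": "par-id-1", "name": "par-bucket-20190307-0915", "access-type": "AnyObjectWrite",
     "object-name": None, "time-created": "2019-03-07T09:15:00+00:00",
     "time-expires": "2019-03-08T09:15:00+00:00"},
    {"id": "par-id-2", "name": "partner-readonly", "access-type": "ObjectRead",
     "object-name": "datatable.data", "time-created": "2019-03-01T00:00:00+00:00",
     "time-expires": "2019-09-01T00:09:51.000+02:00"},
    {"id": "par-id-3", "name": "old-upload", "access-type": "ObjectWrite",
     "object-name": "backup.tar", "time-created": "2019-01-01T00:00:00+00:00",
     "time-expires": "2019-01-08T00:00:00Z"},
]})
EXAMPLE_NOW = datetime(2019, 3, 7, 12, 0, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible

def parse_rfc3339(value):
    """Parse an RFC 3339 time stamp such as 2017-09-01T00:09:51.000+02:00 into an aware datetime."""
    if value.endswith("Z"):  # 'Z' is valid RFC 3339 but datetime.fromisoformat() before 3.11 rejects it
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError("RFC 3339 time stamp must carry a UTC offset: %r" % value)
    return ts

def audit_pars(list_json, now):
    """Return (name, finding) pairs for PARs in the CLI list output that need attention."""
    findings = []
    for par in json.loads(list_json)["data"]:
        name = par["name"]
        created = parse_rfc3339(par["time-created"])
        expires = parse_rfc3339(par["time-expires"])
        if expires <= now:
            # A PAR cannot be edited or re-enabled; delete expired ones so the listing stays reviewable.
            findings.append((name, "expired; delete it"))
            continue
        if expires - created > MAX_LIFETIME:
            findings.append((name, "lifetime %s exceeds policy; recreate with a nearer expiry" % (expires - created)))
        if par["access-type"] in BUCKET_WRITE_TYPES and par.get("object-name") is None:
            findings.append((name, "bucket-wide write: anyone holding the URL can upload objects"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_pars(SAMPLE_LIST, EXAMPLE_NOW):
        print("%s: %s" % (name, finding))
```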

Note

The unique URL provided by the system when you create a pre-authenticated request is the only way a user can access the bucket or object specified as the request target. Copy the URL to durable storage. The URL is displayed only at the time of creation and cannot be retrieved later.